{"id":"CVE-2025-27522","details":"Deserialization of Untrusted Data vulnerability in Apache InLong.\n\nThis issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability is a secondary mining bypass for CVE-2024-26579. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it.\n\n[1] \n\n https://github.com/apache/inlong/pull/11732","aliases":["GHSA-r324-vgr5-73c9"],"modified":"2026-04-12T15:36:23.321350Z","published":"2025-05-28T08:15:21.540Z","references":[{"type":"ADVISORY","url":"https://lists.apache.org/thread/s4dnmq3gwcjocxf85qk190knlzd26jby"},{"type":"REPORT","url":"https://github.com/apache/inlong/pull/11732"},{"type":"FIX","url":"https://github.com/apache/inlong/commit/86c893cfd8f7ba9ffce5d20abef6cd360f502fdf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/inlong","events":[{"introduced":"0"},{"fixed":"86c893cfd8f7ba9ffce5d20abef6cd360f502fdf"}]}],"versions":["inlong-sdk/dataproxy-sdk-twins/dataproxy-sdk-golang/v1.0.0","inlong-sdk/dataproxy-sdk-twins/dataproxy-sdk-golang/v1.0.0-rc.4"],"database_specific":{"vanir_signatures":[{"digest":{"function_hash":"330014795989017731365637553568299329638","length":3879},"deprecated":false,"source":"https://github.com/apache/inlong/commit/86c893cfd8f7ba9ffce5d20abef6cd360f502fdf","target":{"function":"testFilterSensitive","file":"inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java"},"signature_type":"Function","id":"CVE-2025-27522-406e9789","signature_version":"v1"},{"digest":{"function_hash":"30016277004068194237363209504638187085","length":261},"deprecated":false,"source":"https://github.com/apache/inlong/commit/86c893cfd8f7ba9ffce5d20abef6cd360f502fdf","target":{"function":"containSensitiveKey","file":"inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/util/MySQLSensitiveUrlUtils.java"},"signature_type":"Function","id":"CVE-2025-27522-6dc468c4","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["291919796634205278697421361823279634749","234197014509822500510772843144597538218","51459997764898905614588498081541463717","112293563504342978121554883362513854444","147297442087133441183406575786486541767"]},"deprecated":false,"source":"https://github.com/apache/inlong/commit/86c893cfd8f7ba9ffce5d20abef6cd360f502fdf","target":{"file":"inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/util/MySQLSensitiveUrlUtils.java"},"signature_type":"Line","id":"CVE-2025-27522-a3958aa6","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["86224597110922167188246913039204399049","319402781962628971720666493684364606673","88261001503546872201920635454675786912","205417793798771382010058175276350497008"]},"deprecated":false,"source":"https://github.com/apache/inlong/commit/86c893cfd8f7ba9ffce5d20abef6cd360f502fdf","target":{"file":"inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java"},"signature_type":"Line","id":"CVE-2025-27522-b0217815","signature_version":"v1"}],"vanir_signatures_modified":"2026-04-12T15:36:23Z","unresolved_ranges":[{"events":[{"introduced":"1.13.0"},{"fixed":"2.2.0"}]},{"events":[{"introduced":"1.13.0"},{"last_affected":"2.1.0."}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27522.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}